The objective of this section is to list the requirements that need to be fulfilled to install Azure AD Sync in your environment.
Azure AD Sync enables you to integrate your on-premises Active Directory Domain Service with your Azure AD directory.
As a consequence of this, you need access to your on-premises Active Directory Domain Service as well as access to a valid Azure subscription that has an Azure AD directory installed.

To install Azure AD Sync, you need a computer running the Windows Server operating system.
The following versions are supported:

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Your computer can be stand-alone, a member server or a domain controller.
The following components need to be installed:

.Net 4.5.1

PowerShell (PS3 or better is required)

You need an account with local administrator privileges on your computer to install Azure AD Sync.

Azure AD Sync requires a SQL Server database to store identity data. By default a SQL Express LocalDB (a light version of SQL Server Express) is installed and the service account for the service is created on the local machine.
SQL Server Express has a 10GB size limit that enables you to manage approximately 100.000 objects.

If you need to manager a higher volume of directory objects, you need to point the installation process to a different version of SQL Server.
AAD Sync supports all flavors of Microsoft SQL Server from SQL Server 2008 to SQL Server 2014.

When you configure Azure AD Sync, you need to provide the credentials of an account that is used by Azure AD Sync to connect to your AD DS.
You can use a regular user account because the account only needs the default read permissions.

The following sections provide more details about the permissions required by the AD DS account and the attributes it needs access to.

If you want to enable password synchronization between your on-premises AD DS and your Azure Active Directory for your users, you need to grant the following permissions to the account that is used by Azure AD Sync to connect to your AD DS:

Replicating Directory Changes

Replicating Directory Changes All

Both permissions are required to enable the account to read password hashes from your on-premises AD DS.

If you want to enable rich co-existence between your on-premises Exchange infrastructure and Office 365 (Exchange Hybrid), you can do this by selecting the Exchange hybrid deployment optional feature. When selecting this feature, you enable AAD Sync to write-back attributes to your on-premises environment.

The following table lists the attributes per object type that require write-back:

The password write-back feature provides your users with a convenient method to reset their on-premises passwords in the cloud. During the configuration of Azure AD Sync, you can activate password write-back as optional feature.

For each forest you have configured in Azure AD Sync, the account you have specified for a forest in the wizard must be given the “Reset-Password” and “Change Password” extended rights on the root object of each domain in the forest. The right should be marked as inherited by all user objects.

Use the following procedure to setup permissions on each of the accounts you have configured.

To start the installation process, launch the executable called MicrosoftAzureADConnectionTool.exe.
This self-extracting executable puts all required files on the local drive and starts the installation process.
If you cancel the installation procedure, a shortcut is being created in the start menu and on the desktop.

If you need to use SQL Server or a domain account for the service account you need to cancel the wizard now. Up to this point, the installation process has already created a local folder that includes Azure AD Sync related files. You need the content of this folder to rerun the installation process with parameters.

To connect to your Active Directory Domain Service, the Azure AD Sync tool needs the credentials of an account with sufficient permissions.For more details, see Create an AD account to connect to AD DS.

The Matching across forests feature allows you to define how users from your ADDS forests are represented in Azure AD.
A user might either be represented only once across all forests or have a combination of enabled and disabled accounts.

Setting

Description

My users are only represented once across all forests

All users are created as individual objects in Azure AD. The objects are not joined in the metaverse.

Mail attribute

This option joins users and contacts if the mail attribute has the same value in different forests. It is recommended to use this option when your contacts have been created using GALSync.

ObjectSID and msExchangeMasterAccountSID

This option joins an enabled user in an account forest with a disabled user in an Exchange resource forest. This is also known as linked mailbox in Exchange.

sAMAccountName and MailNickName

This option joins on attributes where it is expected the login ID for the user can be found.

My own attribute

This option allows you to select your own attribute. Limitation in CTP: Make sure to pick an attribute which will already exist in the metaverse. If you pick a custom attribute the wizard will not be able to complete.

You can use this option to specify the attribute you want to use for identity federation. The sourceAnchor attribute is an attribute which is not changing during the lifetime of a user object. In single-forest and environments and where the account is never moved between forests, then objectGUID is a good candidate. If the user is moved between forests or domains, then an alternative attribute must be selected.

The userPrincipalName attribute is the user’s login ID in Azure AD. By default the userPrincipalName attribute in ADDS is used. If this attribute is not routable or not suitable as the login ID a different attribute, such as mail, can be selected in the installation guide.

If you want to limit which attributes to synchronize to Azure AD, then start by selecting which services you are using, If you configure this page, any new service has to be selected explicitly by re-running the installation guide.

Based on the services selected in the previous step, this page will show all attributes which will be synchronized. This list is a combination of all object types being synchronized. If there are some particular attributes you need to not synchronize, you can unselect those. In the picture above the extensionAttributes and homePhone has been unselected and will not synchronize to Azure AD.

This page provides you with summary of your configuration. You should carefully review this summary before you proceed with the next page.If this step fails with an “Unable to communicate with the Windows Azure Active Directory service” error and you have a proxy server configured, you should add proxy settings to the “machine.config” file of your Azure AD Sync computer.
For more details, see <proxy> Element (Network Settings).

A default configuration has now been created and if you are ready to start synchronizing, then click Finish.
If you need to make some additional configuration before you start synchronization, then unselect the Synchronize now checkbox before you click Finish. This will create a disabled task in task scheduler. When you are done with your configuration, start the periodic synchronization by enabling this task.

After completing uncheck the synchronize now option.

Run a full Sync using C:Program FilesMicrosoft Azure AD SyncBin>DirectorySyncClientCmd.exe initial

Sync Successful

Azure AD Full Synchronization

We’ve a utility called DirectorySyncClientCmd.exe which executes the sequence of actions to synchronize on prem identities with office 365.

To run a full synchronization browse to “C:Program FilesMicrosoft Azure AD SyncBinDirectorySyncClientCmd.exe initial

It’s recommended that you perform a full synchronization after making a major change in your Azure AD Sync configuration like enabling password synchronization for user.

Azure AD Delta Synchronization

To perform the delta synchronization with Office 365, we need the same executable to perform delta synchronization of users from on prem to office 365. By default Azure AD Sync tool performs delta sync after every 3 hours. Later in this article we’ll learn on how we can change the default sync time of the tool.

Azure Active Directory is a service that provides comprehensive identity and access management capabilities in the cloud. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. For more information, see this video.

Built on top of a large set of free capabilities in Microsoft Azure Active Directory, Azure Active Directory Premium and Basic editions provide a set of more advanced features to empower enterprises with more demanding identity and access management needs. For the pricing options for these editions, see Azure Active Directory Pricing. When you subscribe to Azure, you get your choice of the following free and paid editions of Azure Active Directory:

Free – With the Free edition of Azure Active Directory, you can manage user accounts, synchronize with on-premises directories, get single sign on across Azure, Office 365, and thousands of popular SaaS applications like Salesforce, Workday, Concur, DocuSign, Google Apps, Box, ServiceNow, Dropbox, and more.

Premium – With the Premium edition of Azure Active Directory, you get all of the capabilities that he Azure Active Directory Free and Basic editions have to offer, plus additional feature-rich enterprise-level identity management capabilities explained below.

Azure Active Directory Premium and Azure Active Directory Basic are not currently supported in China. Please contact us at the Azure Active Directory Forum for more

Azure Active Directory editions

Published: November 21, 2013

Updated: May 5, 2015

Applies To: Azure, Azure Active Directory, Office 365

Azure Active Directory is a service that provides comprehensive identity and access management capabilities in the cloud. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. For more information, see this video.

Built on top of a large set of free capabilities in Microsoft Azure Active Directory, Azure Active Directory Premium and Basic editions provide a set of more advanced features to empower enterprises with more demanding identity and access management needs. For the pricing options for these editions, see Azure Active Directory Pricing. When you subscribe to Azure, you get your choice of the following free and paid editions of Azure Active Directory:

Free – With the Free edition of Azure Active Directory, you can manage user accounts, synchronize with on-premises directories, get single sign on across Azure, Office 365, and thousands of popular SaaS applications like Salesforce, Workday, Concur, DocuSign, Google Apps, Box, ServiceNow, Dropbox, and more.

Premium – With the Premium edition of Azure Active Directory, you get all of the capabilities that he Azure Active Directory Free and Basic editions have to offer, plus additional feature-rich enterprise-level identity management capabilities explained below.

Active Directory Basic edition is a paid offering of Azure Active Directory and includes all of the features of the Free edition plus the following features:

Company branding – To make the end user experience even better, you can add your company logo and color schemes to your organization’s Sign In and Access Panel pages. Once you’ve added your logo, you also have the option to add localized versions of the logo for different languages and locales.For more information, see Add company branding to your Sign In and Access Panel pages.

Group-based application access – Use groups to provision users and assign user access in bulk to thousands of SaaS applications. These groups can either be created solely in the cloud or you can leverage existing groups that have been synced in from your on-premises Active Directory.For more information, see Assign access for a group to a SaaS application in Azure AD.

Self-service password reset – Azure has always allowed directory administrators to reset passwords. With Azure Active Directory Basic, you can now reduce helpdesk calls when your users forget a password by giving all users in your directory the capability to reset their password, using the same sign in experience they have for Office 365.For more information, see Password Management in Azure AD.

Active Directory Premium edition is a paid offering of Azure Active Directory and includes all of the features of the Free and Basic editions plus the following features:

Self-service group management – Azure Active Directory Premium simplifies day-to-day administration of groups by enabling users to create groups, request access to other groups, delegate group ownership so others can approve requests and maintain their group’s memberships.For more information, see Self-service group management for users in Azure AD.

Advanced security reports and alerts – Monitor and protect access to your cloud applications by viewing detailed logs showing more advanced anomalies and inconsistent access pattern reports. Advanced reports are machine learning-based and can help you gain new insights to improve access security and respond to potential threats.For more information, see View your access and usage reports.

Multi-Factor Authentication – Multi-Factor Authentication is now included with Premium and can help you to secure access to on-premises applications (VPN, RADIUS, etc.), Azure, Microsoft Online Services like Office 365 and Dynamics CRM Online, and thousands of Non-MS Cloud services preintegrated with Azure Active Directory. Simply enable Multi-Factor Authentication for Azure Active Directory identities, and users will be prompted to set up additional verification the next time they sign in.For more information, see Adding Multi-Factor Authentication to Azure Active Directory.

Microsoft Identity Manager (MIM) – Premium comes with the option to grant rights to use a MIM server (and CALs) in your on-premises network to support any combination of Hybrid Identity solutions. This is a great option if you have a variation of on-premises directories and databases that you want to sync directly to Azure Active Directory. There is no limit on the number of FIM servers you can use, however, MIM CALs are granted based on the allocation of an Azure Active Directory premium user license.For more information, see Deploy MIM 2010 R2.

Azure Active Directory Basic and Azure Active Directory Premium have more advanced capabilities to help streamline enterprise-level administrative tasks and make an administrator’s life easier. The following table describes common admin benefits and how signing up for Azure Active Directory Basic or Azure Active Directory Premium help simplify them.

1 The 500k object limit does not apply for Office 365, Windows Intune or any other Microsoft online service that relies on Azure Active Directory for directory services.

2 With Azure Active Directory Free and Azure Active Directory Basic, end users who have been assigned access to each SaaS app, can see up to 10 apps in their Access Panel and get SSO access to them (assuming they have first been configured with SSO by the admin). Admins can configure SSO and assign user access to as many SaaS apps as they want with Free, however end users will only see 10 apps in their Access Panel at a time.

Self-service application requests: Administrators can provide a list of SaaS apps to users from which so that users can choose the ones they want to use, and the apps either will be available immediately or after approval.

Azure reporting API: data for every security report of Azure Active Directory will be available to other monitoring or SIEM tools.

To configure user password reset policy, complete the following steps:

Open a browser of your choice and go to the Azure Management Portal.

In the Azure Management Portal, find the Active Directory extension on the navigation bar on the left hand side.

Under the Directory tab, click the directory in which you want to configure the user password reset policy, for example, Wingtip Toys.

Click the Configure tab.

Under the Configure tab, scroll down to the user password reset policy section. This is where you configure every aspect of user password reset policy for a given directory. This policy applies only to end users in your organization, not administrators. For security reasons, Microsoft controls the password reset policy for administrators. If you do not see this section, make sure that you have signed up for the Azure Active Directory Premium and Basic and assigned a license to the administrator account that is configuring this feature.

To configure the user password reset policy, slide the users enabled for password reset toggle to the yes setting. This reveals several more controls which enable you to configure how this feature works in your directory. Feel free to customize password reset as you see fit. If you’d like to learn more about what each of the password reset policy controls does, please see Self-service password reset in Azure AD: how to customize password reset to meet your needs.

After configuring user password reset policy as desired for your tenant, click the Save button at the bottom of the screen.

Note

A two challenge user password reset policy is recommended so that you can see how the functionality works in the most complex case.

Require users to register for password reset when they sign in to the Access Panel at http://myapps.microsoft.com by setting the Require users to register SSPR configuration option to Yes.

The following table outlines where and how this data is used during password reset and is designed to help you decide which of the above methods you want to use. This table also shows any formatting requirements for cases where you are providing data on behalf of users from input paths that do not validate this data.

In order to use the password reset registration portal, you must provide the users in your organization with a link to this page (http://aka.ms/ssprsetup) or turn on the option to require users to register automatically. Once they click this link, they are asked to sign in with their organizational account. After doing so, they see the following page:

Here, users can provide and verify their mobile phone or alternate email address. This is what verifying a mobile phone looks like.

After a user specifies this information, the page will update to indicate that the information is valid (it has been obfuscated below). By clicking the finish or cancel buttons, the user will be brought to the Access Panel.

Once a user verifies both of these pieces of information, his or her profile will be updated with the data he or she provided. In this example, the Office Phone number has been specified manually, so the user can also use that as a contact method for resetting his or her password.

If you go to a site like portal.microsoftonline.com, you’ll see a login screen like the below. Click the “can’t access your account” link to test the password reset UI.

After clicking “can’t access your account”, you are brought to a new page which will ask for a user ID for which you wish to reset a password. Enter your test user ID here, pass the captcha, and click “next”.

Since the user has specified an office phone, mobile phone, and alternate email in this case, you see that he has been given all of those as options to pass the first challenge.

In this case, choose to call the office phone first. Note that when selecting a phone-based method, users will be asked to verify their phone number before they can reset their passwords. This is to prevent malicious individuals from spamming phone numbers of users in your organization.

Once the user confirms their phone number, clicking call wall cause a spinner to appear and his or her phone to ring. A message will play once he or she picks up your phone indicating that the user should press “#” to verify his or her account. Pressing this key will automatically verify that the user possesses the first challenge and advance the UI to the second verification step.

Once you’ve passed the first challenge, the UI is automatically updated to remove it from the list of choices the user has. In this case, because you used your Office Phone first, only Mobile Phone and Alternate Email remain as valid options to use as the challenge for the second verification step. Click on the Email my alternate email option. After you have done that, pressing email will email the alternate email on file.

Here is a sample of an email that users will see – notice the tenant branding:

Once the email arrives, the page will update, and you’ll be able to enter the verification found in the email in the input box shown below. After a proper code is entered, the next button lights up, and you are able to pass through the second verification step.

Once you’ve met the requirements of the organizational policy, you are allowed to choose a new password. The password is validated based it meets AAD “strong” password requirements (Password policy in Azure AD), and a strength validator appears to indicate to the user whether the password entered meets that policy.

Once you provide matching passwords that meet the organizational policy, your password is reset and you can log in with your new password immediately.